258 matches found

NVD
added 2026/06/12 3:16 p.m. · 8 views

CVE-2026-47139

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM supports excluding public network builtins from the wildcard builtin option. With this configuration direct access to http, https, http2, net, dgram, tls, dns, and dns/promises is blocked. However, Node.js also exposes...

8.6 CVSS · 0.00492 EPSS
Exploits 0 · References 3
NCSC
added 2026/05/15 8:19 a.m. · 16 views

Vulnerabilities found in Cisco Catalyst SD-WAN Controllers and Managers

Cisco has identified vulnerabilities in the Catalyst SD-WAN Controller and Manager products. Cisco has uncovered four vulnerabilities in these products. These vulnerabilities involve XXE injection, privilege escalation, and authentication bypass. The authentication bypass vulnerability resides in...

10 CVSS · 6 AI score · 0.76286 EPSS
Exploits 4 · References 2
Snyk
added 2026/04/15 7:43 p.m. · 62 views

Logging of Excessive Data

Overview: pocketmine/pocketmine-mp is a highly customisable, open source server software for Minecraft: Bedrock Edition written in PHP. Affected versions of this package are vulnerable to Logging of Excessive Data through the processing of client data JWTs in LoginPacket. An attacker can cause...

6.9 CVSS · 5.8 AI score
Exploits 0 · References 2
EUVD
added 2025/10/03 8:7 p.m. · 4 views

EUVD-2024-37660

Malicious code in bioql PyPI...

9.8 CVSS · 9.2 AI score · 0.00768 EPSS
Exploits 3 · References 1
Veeam
added 2025/09/11 12:0 a.m. · 13 views

Azure Block Mode Export Failure Due to NetworkAccessPolicyIsDenyAll with Veeam Kasten

Challenge: If using Veeam Kasten to protect persistent volumes provisioned with the Azure Disk CSI provisioner, and encounter the following error during the block mode export phase of a policy run: Failure in exporting restorepoint with log details similar to: Access not permitted for resource...

7 AI score
Exploits 0
Positive Technologies
added 2025/07/08 12:0 a.m. · 1 views

PT-2025-30105 · Npm · @Cloudflare/Vite-Plugin

Summary Note: originally posted on H1 but closed. Cross-posting over to here in abundance of caution instead of a public issue. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain...

8.2 CVSS · 6.7 AI score
Exploits 0 · References 4
NVD
added 2025/04/23 10:15 a.m. · 9 views

CVE-2024-10306

A vulnerability was found in mod_proxy_cluster. The issue is that the directive should be replaced by the directive as the former does not restrict IP/host access as Require ip IPADDRESS would suggest. This means that anyone with access to the host might send MCMP requests that may result in...

5.4 CVSS · 0.00245 EPSS
Exploits 0 · References 7
Vulnrichment
added 2025/04/23 9:59 a.m. · 4 views

CVE-2024-10306 Mod_proxy_cluster: mod_proxy_cluster unauthorized mcmp requests

A vulnerability was found in mod_proxy_cluster. The issue is that the directive should be replaced by the directive as the former does not restrict IP/host access as Require ip IPADDRESS would suggest. This means that anyone with access to the host might send MCMP requests that may result in...

5.4 CVSS · 6.9 AI score · 0.00245 EPSS
Exploits 0 · References 7
CVE
added 2025/04/23 9:59 a.m. · 63 views

CVE-2024-10306

CVE-2024-10306 affects the mod_proxy_cluster module (Apache HTTP Server). The issue arises because the Directory directive does not enforce access restrictions as strongly as the Location directive, enabling unauthorized MCMP requests that could add/remove/update balancer nodes. Public exploit de...

5.4 CVSS · 6.8 AI score · 0.00245 EPSS
Exploits 0 · References 7
Positive Technologies
added 2025/02/28 12:0 a.m. · 5 views

PT-2025-17610 · Unknown +2 · Mod Proxy Cluster +2

Name of the Vulnerable Software and Affected Versions: mod proxy cluster affected versions not specified Description: A vulnerability was found in mod proxy cluster, where the directive does not restrict IP/host access as Require ip IP ADDRESS would suggest, allowing anyone with access to the hos...

5.4 CVSS · 5.1 AI score · 0.00245 EPSS
Exploits 0 · References 21
RedhatCVE
added 2025/02/05 9:6 a.m. · 8 views

CVE-2024-38879

A vulnerability has been identified in Omnivise T3000 Application Server R9.2 All versions, Omnivise T3000 R8.2 SP3 All versions, Omnivise T3000 R8.2 SP4 All versions. The affected system exposes the port of an internal application on the public network interface allowing an attacker to circumven...

9.8 CVSS · 6.9 AI score · 0.00768 EPSS
Exploits 3
CNVD
added 2024/08/12 12:0 a.m. · 10 views

Siemens Omnivise T3000 Application Server Input Validation Improperity Vulnerability

The Omnivise T3000 is a distributed control system for fossil fuel and large renewable energy power plants. An improper input validation vulnerability exists in the Siemens Omnivise T3000 Application Server due to an affected system exposing an internal application port on a public network...

9.8 CVSS · 7.1 AI score · 0.00768 EPSS
Exploits 3 · References 1
CNNVD
added 2024/08/02 12:0 a.m. · 4 views

Siemens Omnivise T3000 Input Validation Error Vulnerability

The Omnivise T3000 is a distributed control system for fossil fuel and large renewable energy power plants. An improper input validation vulnerability exists in the Siemens Omnivise T3000 Application Server due to an affected system exposing an internal application port on a public network...

9.8 CVSS · 7 AI score · 0.00768 EPSS
Exploits 3 · References 3
GithubExploit
added 2024/07/04 1:28 p.m. · 2891 views

Exploit for Race Condition in Openbsd Openssh

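0. TL;DR "This is essentially a statistical vulnerability: a large number of attempts is needed to win the race condition and successfully execute arbitrary code, and an attacker has to overcome many obstacles," Schwa...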

8.1 CVSS · 8.4 AI score · 0.99506 EPSS
Exploits 68
Positive Technologies
added 2024/06/21 12:0 a.m. · 3 views

PT-2024-5381 · Omnivise · Omnivise T3000 R8.2 Sp3 +2

Name of the Vulnerable Software and Affected Versions: Omnivise T3000 Application Server R9.2 All versions Omnivise T3000 R8.2 SP3 All versions Omnivise T3000 R8.2 SP4 All versions Description: The issue is related to insufficient input validation, which can be exploited by a remote attacker to...

9.8 CVSS · 7.7 AI score · 0.00768 EPSS
Exploits 3 · References 6
NCSC
added 2024/06/13 1:34 p.m. · 3 views

Vulnerabilities fixed in Adobe FrameMaker Publishing Server

Adobe has fixed vulnerabilities in FrameMaker Publishing Server. A malicious party could exploit the vulnerabilities to bypass authentication and potentially take over the system. In particular, systems that are accessible from public networks without additional measures are at increased risk...

10 CVSS · 7.4 AI score · 0.01051 EPSS
Exploits 0 · References 1
Citrix
added 2023/09/18 12:0 a.m. · 15 views

Catalog Creation or Change Master Image fails when attempting to create ProvVM

Machine Creation Services actions, such as catalog creation, master image change, or adding additional VMs, may error unexpectedly for failure to create image preparation machine. CDF traces may indicate one of the following: "Error: creating virtual machine failed. AzureWriter-1 timed out while...

7.3 AI score
Exploits 0
IBM Security Bulletins
added 2022/09/25 9:6 p.m. · 29 views

Security Bulletin: IBM Content Classification Java API Documentation Frame Injection Vulnerability (CVE-2013-1571)

Abstract: The Java API documentation contains a frame injection vulnerability. This is a potential issue only if the Java API documentation that is shipped with the product is hosted on a public network. Content: VULNERABILITY DETAILS. DESCRIPTION: HTML documentation generated by the Javadoc tool...

4.3 CVSS · 7.6 AI score · 0.66817 EPSS
Exploits 1 · Affected Software 1
Github Security Blog
added 2020/09/01 4:16 p.m. · 34 views

Downloads Resources over HTTP in pm2-kafka

Affected versions of pm2-kafka insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the syst...

9.3 CVSS · 6.4 AI score · 0.01752 EPSS
Exploits 0 · References 3 · Affected Software 1
Github Security Blog
added 2020/09/01 4:15 p.m. · 35 views

Downloads Resources over HTTP in npm-test-sqlite3-trunk

Affected versions of npm-test-sqlite3-trunk insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code executio...

9.3 CVSS · 6.4 AI score · 0.01752 EPSS
Exploits 0 · References 3 · Affected Software 1